Microsoft exposes vulnerabilities in OpenVPN -- millions of devices at risk

2 Comments

Microsoft researchers have revealed a series of medium-severity vulnerabilities within OpenVPN, an essential open-source VPN solution embedded in myriad routers, PCs, and smart devices worldwide. The vulnerabilities, if exploited, could allow attackers to execute remote code and escalate privileges, gaining unauthorized access to potentially millions of devices.

The research team demonstrated how these vulnerabilities could be chained together to form a potent attack sequence, culminating in attackers taking complete control over affected devices. This complex attack vector requires user authentication and a sophisticated understanding of OpenVPN’s architecture, highlighting the need for robust security measures.

OpenVPN is used across various platforms including Windows, iOS, macOS, Android, and BSD, serving as a critical security tool for thousands of enterprises globally. The vulnerabilities affect all versions of OpenVPN up to 2.6.9 and 2.5.9, posing a severe risk to unprotected endpoints and enterprise systems.

The vulnerabilities, reported through Microsoft's Coordinated Vulnerability Disclosure program in March 2024, have been addressed by OpenVPN in their latest releases (2.6.10 and 2.5.10). Users are urged to update their systems immediately to mitigate potential risks.

The disclosed vulnerabilities include:

  • CVE-2024-27459: Could cause denial of service (DoS) and local privilege escalation (LPE) on Windows platforms.
  • CVE-2024-24974: Allows unauthorized access on Windows.
  • CVE-2024-27903: Enables remote code execution (RCE) and local privilege escalation (LPE) across Android, iOS, macOS, and BSD platforms.
  • CVE-2024-1305: Leads to a denial of service (DoS) through the Windows TAP driver.

Microsoft provided detailed mitigation strategies and emphasizes the importance of applying the latest patches. The company also praised OpenVPN for the prompt response and collaboration in address these issues, reinforcing the significance of responsible vulnerability disclosure in maintaining global cybersecurity.

2 Comments
Got News? Contact Us

Recent Headlines

Apple unveils AirPods 4 and introduces hearing health features in AirPods Pro 2

Apple Watch Series 10 debuts alongside Apple Watch Ultra 2 in black titanium

Forget Google Pixel 9 Pro, Apple iPhone 16 Pro is the AI smartphone you really want

Apple launches iPhone 16 with advanced A18 chip, enhanced camera features and Apple Intelligence

ADATA launches XPG LANCER NEON RGB DDR5 gaming memory

DoorDash partners with Magnolia Bakery to deliver exclusive new banana pudding flavor through DashMart

TP-Link launches Omada Cloud Essentials for cloud-based network management

Most Commented Stories

Forget Windows 11, the stunning Windows 10 2024 Edition is the operating system you want

34 Comments

10 shocking reasons Windows 10 outshines Windows 11

22 Comments

Rectify11 update arrives to fix Windows 11 -- download it now

18 Comments

Forget TeamViewer, RustDesk is the open-source alternative you've been looking for

15 Comments

Microsoft is testing a change to the Windows 11 Start menu that you might actually like

14 Comments

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.6.1

14 Comments

Forget Microsoft Windows 11, the Chinese-made deepin Linux 23 is the operating system you really want

12 Comments

Goodbye Windows 11, hello Linux: Discover how ExTiX Deepin 24.8 can free your computer from Microsoft

11 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.